resources:
- name: db
  resource:
    '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
    connectTimeout: 5s
    edsClusterConfig:
      edsConfig:
        ads: {}
        resourceApiVersion: V3
    name: db
    transportSocket:
      name: envoy.transport_sockets.tls
      typedConfig:
        '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        commonTlsContext:
          alpnProtocols:
          - kuma
          combinedValidationContext:
            defaultValidationContext:
              matchTypedSubjectAltNames:
              - matcher:
                  exact: spiffe://demo/db
                sanType: URI
            validationContextSdsSecretConfig:
              name: mesh_ca:secret:demo
              sdsConfig:
                ads: {}
                resourceApiVersion: V3
          tlsCertificateSdsSecretConfigs:
          - name: identity_cert:secret:demo
            sdsConfig:
              ads: {}
              resourceApiVersion: V3
        sni: db{mesh=demo}
    type: EDS
    typedExtensionProtocolOptions:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicitHttpConfig:
          http2ProtocolOptions: {}
- name: elastic
  resource:
    '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
    connectTimeout: 5s
    edsClusterConfig:
      edsConfig:
        ads: {}
        resourceApiVersion: V3
    healthChecks:
    - healthyThreshold: 2
      interval: 5s
      tcpHealthCheck: {}
      timeout: 4s
      unhealthyThreshold: 3
    name: elastic
    transportSocket:
      name: envoy.transport_sockets.tls
      typedConfig:
        '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        commonTlsContext:
          alpnProtocols:
          - kuma
          combinedValidationContext:
            defaultValidationContext:
              matchTypedSubjectAltNames:
              - matcher:
                  exact: spiffe://demo/elastic
                sanType: URI
            validationContextSdsSecretConfig:
              name: mesh_ca:secret:demo
              sdsConfig:
                ads: {}
                resourceApiVersion: V3
          tlsCertificateSdsSecretConfigs:
          - name: identity_cert:secret:demo
            sdsConfig:
              ads: {}
              resourceApiVersion: V3
        sni: elastic{mesh=demo}
    type: EDS
    typedExtensionProtocolOptions:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicitHttpConfig:
          http2ProtocolOptions: {}
- name: kuma:envoy:admin
  resource:
    '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
    altStatName: kuma_envoy_admin
    connectTimeout: 5s
    loadAssignment:
      clusterName: kuma:envoy:admin
      endpoints:
      - lbEndpoints:
        - endpoint:
            address:
              socketAddress:
                address: 127.0.0.1
                portValue: 9902
    name: kuma:envoy:admin
    type: STATIC
- name: localhost:8080
  resource:
    '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
    altStatName: localhost_8080
    connectTimeout: 10s
    loadAssignment:
      clusterName: localhost:8080
      endpoints:
      - lbEndpoints:
        - endpoint:
            address:
              socketAddress:
                address: 192.168.0.1
                portValue: 8080
    name: localhost:8080
    type: STATIC
- name: db
  resource:
    '@type': type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment
    clusterName: db
    endpoints:
    - lbEndpoints:
      - endpoint:
          address:
            socketAddress:
              address: 192.168.0.3
              portValue: 5432
        loadBalancingWeight: 1
        metadata:
          filterMetadata:
            envoy.lb:
              role: master
            envoy.transport_socket_match:
              role: master
- name: elastic
  resource:
    '@type': type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment
    clusterName: elastic
    endpoints:
    - lbEndpoints:
      - endpoint:
          address:
            socketAddress:
              address: 192.168.0.4
              portValue: 9200
        loadBalancingWeight: 1
- name: inbound:192.168.0.1:80
  resource:
    '@type': type.googleapis.com/envoy.config.listener.v3.Listener
    address:
      socketAddress:
        address: 192.168.0.1
        portValue: 80
    enableReusePort: false
    filterChains:
    - filters:
      - name: envoy.filters.network.rbac
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC
          rules: {}
          statPrefix: inbound_192_168_0_1_80.
      - name: envoy.filters.network.tcp_proxy
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          cluster: localhost:8080
          idleTimeout: 7200s
          statPrefix: localhost_8080
      transportSocket:
        name: envoy.transport_sockets.tls
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          commonTlsContext:
            combinedValidationContext:
              defaultValidationContext:
                matchTypedSubjectAltNames:
                - matcher:
                    prefix: spiffe://demo/
                  sanType: URI
              validationContextSdsSecretConfig:
                name: mesh_ca:secret:demo
                sdsConfig:
                  ads: {}
                  resourceApiVersion: V3
            tlsCertificateSdsSecretConfigs:
            - name: identity_cert:secret:demo
              sdsConfig:
                ads: {}
                resourceApiVersion: V3
          requireClientCertificate: true
    metadata:
      filterMetadata:
        io.kuma.tags:
          kuma.io/service: backend
    name: inbound:192.168.0.1:80
    trafficDirection: INBOUND
- name: kuma:envoy:admin
  resource:
    '@type': type.googleapis.com/envoy.config.listener.v3.Listener
    address:
      socketAddress:
        address: 192.168.0.1
        portValue: 9902
    enableReusePort: false
    filterChains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          httpFilters:
          - name: envoy.filters.http.router
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          routeConfig:
            validateClusters: false
            virtualHosts:
            - domains:
              - '*'
              name: kuma:envoy:admin
              routes:
              - match:
                  prefix: /ready
                route:
                  cluster: kuma:envoy:admin
                  prefixRewrite: /ready
          statPrefix: kuma_envoy_admin
    - filterChainMatch:
        transportProtocol: tls
      filters:
      - name: envoy.filters.network.http_connection_manager
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          httpFilters:
          - name: envoy.filters.http.router
            typedConfig:
              '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          routeConfig:
            validateClusters: false
            virtualHosts:
            - domains:
              - '*'
              name: kuma:envoy:admin
              routes:
              - match:
                  prefix: /
                route:
                  cluster: kuma:envoy:admin
                  prefixRewrite: /
          statPrefix: kuma_envoy_admin
      transportSocket:
        name: envoy.transport_sockets.tls
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          commonTlsContext:
            tlsCertificates:
            - certificateChain:
                inlineBytes: Y2VydFBFTQ==
              privateKey:
                inlineBytes: a2V5UEVN
            validationContext:
              matchTypedSubjectAltNames:
              - matcher:
                  exact: kuma-cp
                sanType: DNS
              trustedCa:
                inlineBytes: Y2FQRU0=
          requireClientCertificate: true
    listenerFilters:
    - name: envoy.filters.listener.tls_inspector
      typedConfig:
        '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    name: kuma:envoy:admin
    trafficDirection: INBOUND
- name: outbound:127.0.0.1:54321
  resource:
    '@type': type.googleapis.com/envoy.config.listener.v3.Listener
    address:
      socketAddress:
        address: 127.0.0.1
        portValue: 54321
    filterChains:
    - filters:
      - name: envoy.filters.network.tcp_proxy
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          cluster: db
          idleTimeout: 0s
          statPrefix: db
    metadata:
      filterMetadata:
        io.kuma.tags:
          kuma.io/service: db
    name: outbound:127.0.0.1:54321
    trafficDirection: OUTBOUND
- name: outbound:127.0.0.1:59200
  resource:
    '@type': type.googleapis.com/envoy.config.listener.v3.Listener
    address:
      socketAddress:
        address: 127.0.0.1
        portValue: 59200
    filterChains:
    - filters:
      - name: envoy.filters.network.tcp_proxy
        typedConfig:
          '@type': type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          cluster: elastic
          idleTimeout: 0s
          statPrefix: elastic
    metadata:
      filterMetadata:
        io.kuma.tags:
          kuma.io/service: elastic
    name: outbound:127.0.0.1:59200
    trafficDirection: OUTBOUND
- name: identity_cert:secret:demo
  resource:
    '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
    name: identity_cert:secret:demo
    tlsCertificate:
      certificateChain:
        inlineBytes: Q0VSVA==
      privateKey:
        inlineBytes: S0VZ
- name: mesh_ca:secret:demo
  resource:
    '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
    name: mesh_ca:secret:demo
    validationContext:
      trustedCa:
        inlineBytes: Q0E=
